22 September, 2016

Get Local Administrators group members for all servers in the domain (Powershell)

Hi,

Could not find a script that will enumerate all servers from AD (or specific OU) and give me a centralized CSV output of all the members of the servers local administrators group.

So I wrote one...

The script also enumerate groups members and indicate if the object is a user / computer or group (and then write the group name).
The script also check if the server is reachable and if you can connect via WMI, if nor indicates it in the output.
Console output is available.

Enjoy.

========================================
import-module ActiveDirectory

cls
$array = @()
$test2 = ""

#get local admin function
function get-localadmin {
param ($strcomputer)

$admins = Get-WmiObject win32_groupuser –computer $strcomputer -EV Err -EA SilentlyContinue
$admins = $admins |? {$_.groupcomponent –like '*"Administrators"'}

$admins |% {
$_.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$” > $nul
$matches[1].trim('"') + “\” + $matches[2].trim('"')
}
}

#list all servers to proccess [replace this with your OU structure]
$Comp = Get-ADComputer -SearchBase 'OU=Servers,dc=domain,dc=local' -Filter '*' | Select -Exp Name

#run on each server
foreach ($ADServer in $Comp) {
    #Test if the server is responsive
    $test = Test-Connection -computername $ADServer -Count 1 -Quiet
    Write-Host "`nProccessing " $ADServer "..." -NoNewLine
    If ($test -eq "True") {
            #run the WMI command and catch errors
            Try { $FnLocalAdmins = get-localadmin $ADServer }
            Catch {
                Write-Host " WMI error`n"
                $test2 = "Error"
                $Properties = @{Server=$ADServer;Admin="WMI Error";Type="Error"}
                $Newobject = New-Object PSObject -Property $Properties
                $array += $newobject
                }
            foreach ($Admins in $FnLocalAdmins) {
                #split the username form the domain or server
                $split = $Admins.Split('\')
                $domain = $split[0]
                $usr = $split[1]
                #Check if the object is local or domain based [Replace this with your domain name]
                If ($domain -eq "YOUR_DOMAIN") {
                    $u = Get-ADObject -Filter {samaccountname -eq $usr} -Properties objectClass
                    #check if the object is user, computer or group
                    Switch ($u.objectclass) {
                        User {
                            $Properties = @{Server=$ADServer;Admin=$usr;Type="Domain"}
                            $Newobject = New-Object PSObject -Property $Properties
                            $array += $newobject
                            ;break}
                        Computer {
                            $Properties = @{Server=$ADServer;Admin=$usr;Type="Computer"}
                            $Newobject = New-Object PSObject -Property $Properties
                            $array += $newobject
                            ;break}
                        Group {
                            $g = get-adgroupmember $usr -recursive
                            foreach ($groupuser in $G) {
                            $Properties = @{Server=$ADServer;Admin=$groupuser.samaccountname;Type=$usr}
                            $Newobject = New-Object PSObject -Property $Properties
                            $array += $newobject }
                            ;break}
                        Default {
                            $Properties = @{Server=$ADServer;Admin=$usr;Type="Bad Object"}
                            $Newobject = New-Object PSObject -Property $Properties
                            $array += $newobject
                            ;break}
                    }
                }
                Else {
                        $Properties = @{Server=$ADServer;Admin=$usr;Type="Local"}
                        $Newobject = New-Object PSObject -Property $Properties
                        $array += $newobject
                }
            }
                #write back to the console that all went ok
                If ($test2 -eq "Error") {$test2 = ""} Else {
                Write-Host " OK"
                $test2 = "" }
    }
    Else {
        Write-Host " Unreachable`n" -NoNewLine
        $Properties = @{Server=$ADServer;Admin="Unreachable";Type="Error"}
        $Newobject = New-Object PSObject -Property $Properties
        $array += $newobject
    }
}  
          
#export the results to a csv file
$array | export-csv -Path "D:\Scripts\Server\Output\LocalAdmins.csv" -Delimiter ";" -NoTypeInformation -Encoding UTF8

1 comment:

  1. This worked perfectly on my environment. thank you for sharing.

    ReplyDelete